Last year, the European Commission launched a drive to simplify existing EU laws on artificial intelligence (AI) and data protection, arguing that this would “boost competitiveness” and “cut red tape”. In November 2025, it unveiled proposals for sweeping changes to major laws like the AI Act and the General Data Protection Regulation (GDPR).
At stake are the rules that protect us on and offline. Corporations work hard to give regulation a bad name, but regulations protect our rights from being steamrolled by states and governments. They protect our environment, our rights at work, our rights online, and so much more.
Backed by powerful corporations, the Commission’s so-called “Digital Omnibus” threatens to weaken EU digital rules that were once seen as global benchmarks for privacy and AI. This plays on a false dichotomy between regulation and innovation, championed by Big Tech, who seek a rules-free environment that prioritizes profit at any cost. True innovation means finding ways to ensure that the benefits of new technologies are shared by society at large, and not serve only the interest of Big Tech oligarchs.
The proposals presented under the guise of “simplification” amount to an unprecedented rollback of rights online at the EU level that protect us from corporate and state surveillance, discrimination at the hands of AI systems, and much more.
Who benefits from AI deregulation/simplification and who is likely to suffer the biggest consequences?
The “simplification” process is a deregulation process that is likely to benefit business interests. For years, Big Tech have been pushing back against attempts to regulate them, framing content governance rules as censorship, and – with the AI boom – pushing for greater access to all our data to feed their surveillance-based business models. The proposed changes to EU laws come at a time when Big Tech companies have been ramping up their lobbying presence in EU institutions in Brussels, with Amazon alone spending €7 million on lobbying in one year.
Pressure is mounting across different areas of regulation, resulting in the rolling back of environmental protections, the weakening corporate governance and erosion of digital rights. It all amounts to a coordinated effort to weaken corporate accountability.
Rolling back these protections puts all of us at risk.
What changes does the “Digital Omnibus” propose?
So far, the Commission has unveiled the “Digital Package” comprised of the Digital Omnibus and the Digital Omnibus on AI Regulation. They affect many laws, especially the GDPR and AI Act.
GDPR
The GDPR is an EU law that protects personal data by governing how organizations collect, use and secure it. However, the Commission’s proposed reforms to GDPR include redefining what constitutes personal data. Civil society has warned that this will weaken protections under the law and potentially allow Big Tech to harvest more personal data for the training and operation of AI systems. In addition, companies are required to remove such data from AI systems but only if it does not require “disproportionate efforts”, a term that is not clearly defined and open to misuse. These special carveouts for AI, as other civil society groups have pointed out, could undermine the core purposes of the GDPR – to protect people from the harm caused by the mass collection and analysis of their personal information.
The reforms also restrict people’s ability to get access to their own data. This is a core right that enables people to know what data is held about them and how it is being used. Proposed changes would allow controllers to refuse requests if they believe the request is for “purposes other than the protection of their data.”
Taken together, these changes would cut holes in the EU’s flagship data protection law, make it easier for companies and states to harvest and manipulate our data, and make it harder for us to know what is being done, let alone prevent it.
The Artificial Intelligence (AI) Act
The AI Act, which is yet to fully come into force, is one of the most ambitious attempts globally to protect people from the harms of AI systems. But proposed changes in the AI Omnibus threaten to undermine this by weakening and delaying implementation of the rules, especially for high-risk systems which pose the most risk to the health, safety or fundamental rights of EU citizens.
Even under the current AI Act, transparency provisions are weak. For example, a provider (i.e. a company) is allowed to determine whether its own system should not be considered a high risk and simply publish this assessment on an EU database. Under the proposed changes, even this minimal safeguard would disappear. AI companies would no longer be required to publish the assessment, giving them free rein to decide the levels of risk their systems pose. This lack of transparency will make it harder for their assessments to be challenged.
These proposed changes would also delay full implementation of the AI Act. This is especially concerning given the AI Act’s “grand fathering” clause, which means high-risk systems rolled out ahead of the deadline would remain free from many obligations designed to mitigate the human rights risks they pose.
Will other laws be affected?
More “simplification” proposals are expected in the pipeline, further watering down our rights to accommodate corporate interests, including a plan to amend existing “better regulation guidelines” which will justify avoiding transparent and participatory policy making.
The planned “digital fitness check” or assessment of existing digital laws’ effect on competitiveness, will include an “evaluation of all the main legal instruments”, including the Digital Services Act (DSA) and Digital Markets Act (DMA) a process which may potentially be used to further justify deregulation.
Why are these regulations so important to human rights?
AI and human rights
As new AI systems are deployed across the world, the need for stronger regulation could not be clearer. All too often these systems rely on massive amounts of private and public data which reflects societal injustices and leads to biased outcomes resulting in further discrimination against some of the most vulnerable in society.
Amnesty International has documented, for example, how legislative changes in Hungary, enabled the use of facial recognition technology (FRT) targeting peaceful assemblies such as the Budapest and Pécs Pride Marches. Elsewhere, the use of AI systems to monitor the movements of refugees and migrants poses grave risks to human rights, including the right to seek asylum. Other forms of AI, such as fraud detection algorithms used as part of the “digital welfare state”, have disproportionately impacted ethnic minorities, low-income individuals, migrants and refugees in several European countries including Denmark, France, Sweden and the Netherlands.
Data protection and human rights
GDPR is one of the most important laws protecting people against abuses of their personal data by Big Tech and states. Though enforcement has been lacking, the potential for this law to serve as a bulwark against the voracious appetite of Silicon Valley’s unlawful surveillance-based business model is vitally important. Data protection laws are amongst the most crucial tools to fight against the mass harvesting of our data, discriminatory profiling, repackaging and analyzing of personal data for resale by data brokers, and online advertising companies. Gaps in data protection laws can also facilitate the sharing and selling of data to state authorities who can use it to profile, surveil, deny us our rights, such as social benefits, or even decide whether to arrest or detain us.
What happens next?
The Commission’s proposals are not a fait accompli. Negotiations will take place in coming months that will decide the final form these proposals take. Already there are encouraging signs that the European Council, and the European Parliament, are pushing back against some of the most harmful provisions in the AI Omnibus. In a recent vote, the EU parliament maintained the registration requirement for high-risk systems, albeit in a weakened form which means the problems remain, and the battle is far from over.
Human rights and the digital fitness check
Alongside the Digital Package, there is also a huge concern around the forthcoming digital fitness check. Its full scope is unknown, and open-ended, but the DSA and DMA have already been mentioned as potential targets for simplification, and these alone are serious cause for concern.
The DSA has the potential to assert some control over dangerous features of the Big Tech business model, including algorithmic amplification. Amnesty International research links platform algorithms to ethnic cleansing against Rohingya Muslims in Myanmar, and grave human rights abuses against Tigrayan people in Ethiopia. In both cases Meta failed to moderate and, in some instances, actively amplified harmful, discriminatory content on Facebook.
Weakening DSA and DMA would leave communities more exposed to harms from monopolies and the effects of anti-competitive practices of Big Tech. Amnesty International’s research has demonstrated that their largely unchecked power across various digital sectors poses serious risks to the right to privacy, the right to non-discrimination, freedom of opinion and access to information, and allows them to influence states to prevent rights-respecting regulation.
Though incomplete – digital rights regulations in the EU offer crucial protections against these sorts of harms. Rather than dismantling them, they need to be strengthened and enforced. People in Europe, and people everywhere around the world whose rights are impacted, should stand up against the Commission’s proposals and call out “simplification” for what it really is: a stripping of our rights to serve the interests of Big Tech and AI.
